CVE-2026-42316 KQL injection via kusto.tables.topics.mapping in kafka-sink-azure-kusto

kafka-sink-azure-kusto Kafka Connect plugin is the official Microsoft sink for Azure Data Explorer Kusto. Prior to 5.2.3, kafka-sink-azure-kusto did not sanitize user-controlled values inside the kusto.tables.topics.mapping configuration. The db, table, mapping, and format fields of each mapping...

CVE-2026-42316

kafka-sink-azure-kusto Kafka Connect plugin is the official Microsoft sink for Azure Data Explorer Kusto. Prior to 5.2.3, kafka-sink-azure-kusto did not sanitize user-controlled values inside the kusto.tables.topics.mapping configuration. The db, table, mapping, and format fields of each mapping...

CVE-2026-42316

Summary: The kafka-sink-azure-kusto Kafka Connect plugin (Microsoft’s sink for Azure Data Explorer) is affected by a KQL injection vulnerability in the kusto.tables.topics.mapping configuration. Before version 5.2.3, db/table/mapping/format fields were interpolated directly into KQL commands via ...

SUSE CVE-2026-43462

In the Linux kernel, the following vulnerability has been resolved: net: spacemit: Fix error handling in emactxmemmap The DMA mappings were leaked on mapping error. Free them with the existing emacfreetxbuf function...

kernel: crypto: algif_aead - Revert to operating out-of-place

A flaw was found in the Linux kernel's algifaead cryptographic algorithm interface. An incorrect in-place operation causes source and destination data mappings to differ during cryptographic processing. A low-privileged local attacker can exploit this flaw to corrupt the contents of sensitive...

kernel: Linux kernel KVM: Privilege escalation or denial of service due to improper shadow page table entry handling

A flaw was found in the Linux kernel's Kernel-based Virtual Machine KVM component. A local attacker with privileges on the host system could exploit a vulnerability in how KVM handles shadow page table entries SPTEs during memory-mapped I/O MMIO operations. By manipulating guest page table entrie...

PT-2026-39660

kafka-sink-azure-kusto Kafka Connect plugin is the official Microsoft sink for Azure Data Explorer Kusto. Prior to 5.2.3, kafka-sink-azure-kusto did not sanitize user-controlled values inside the kusto.tables.topics.mapping configuration. The db, table, mapping, and format fields of each mapping...

Microsoft Azure Data Explorer Kafka Connect Kusto Sink Connector 安全漏洞

The Microsoft Azure Data Explorer Kafka Connect Kusto Sink Connector is an open-source Kafka data synchronization connector to Azure Big Data Analysis databases. Versions of the Kusto Sink Connector prior to version 5.2.3 have security vulnerabilities. These vulnerabilities stem from uncleaned...

Unity Linux 20.1060e / 20.1070e Security Update: samba (UTSA-2026-017656)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017656 advisory. A flaw was found in samba. The Samba smbd file server must map Windows group identities SIDs into unix group ids gids. The code that performs this had a flaw that...

PHP 代码问题漏洞

PHP is an open-source scripting language executed on the server side. There were code vulnerabilities in versions prior to PHP 8.2.31, 8.3.31, 8.4.21, and 8.5.6. These vulnerabilities stemmed from a flaw where, when the SOAP server was configured with type mapping, incorrect variables were checke...

SUSE CVE-2026-43124

In the Linux kernel, the following vulnerability has been resolved: pstore: ramcore: fix incorrect success return when vmap fails In persistentramvmap, vmap may return NULL on failure. If offset is non-zero, adding offsetinpagestart causes the function to return a non-NULL pointer even though the...

CVE-2026-42345 FastGPT: Cloud metadata endpoint SSRF protection bypass via port specification, IPv6 mapping, hex/decimal IP encoding, and trailing dot

FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress function in packages/service/common/system/utils.ts blocks cloud metadata endpoints using a fullUrl.startsWith check against a hardcoded list. This check can be bypassed using at least 7 different...

CVE-2026-42345

FastGPT (version 4.14.11 and earlier) exposes an SSRF risk in isInternalAddress() (packages/service/common/system/utils.ts) where a fullUrl.startsWith() hardcoded blocklist can be bypassed by at least 7 URL-encoding techniques that resolve to the cloud metadata endpoint. The broader private IP ch...

CVE-2026-41938

Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can uploa...

CVE-2026-43348

A flaw was found in the Linux kernel's mshvvtl component. When registering VTL0 memory, an issue with memory mapping calculations can cause the system to trigger a warning and return an invalid argument error. This could lead to system instability or a denial of service DoS, preventing legitimate...

CVE-2026-41883

OmniFaces is a utility library for Faces. Prior to versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3, there is a server-side EL injection leading to Remote Code Execution RCE. This affects applications that use CDNResourceHandler with a wildcard CDN mapping e.g...

CVE-2026-42030

MapServer is a system for developing web-based GIS applications. From version 6.0 to before version 8.6.2, a reflected XSS vulnerability in MapServer's WMS server allows an unauthenticated attacker to inject arbitrary HTML/JavaScript into the browser of any user who opens a crafted WMS URL. The...

CVE-2026-42030 MapServer: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in OpenLayers viewer

MapServer is a system for developing web-based GIS applications. From version 6.0 to before version 8.6.2, a reflected XSS vulnerability in MapServer's WMS server allows an unauthenticated attacker to inject arbitrary HTML/JavaScript into the browser of any user who opens a crafted WMS URL. The...

CVE-2026-41883 OmniFaces: EL injection via crafted resource name in wildcard CDN mapping

OmniFaces is a utility library for Faces. Prior to versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3, there is a server-side EL injection leading to Remote Code Execution RCE. This affects applications that use CDNResourceHandler with a wildcard CDN mapping e.g...

CVE-2026-41883 OmniFaces: EL injection via crafted resource name in wildcard CDN mapping

OmniFaces is a utility library for Faces. Prior to versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3, there is a server-side EL injection leading to Remote Code Execution RCE. This affects applications that use CDNResourceHandler with a wildcard CDN mapping e.g...